WebApp Sec mailing list archives
Re: IIS session cookies
From: securityarchitect () hush com
Date: Sat, 7 Dec 2002 18:51:48 -0800
Not knowing much about Windows, ASP or .NET, does IIS allow you to set the sessionID length? If so, how? How does it move users from a non-SSL session to an SSL session (i.e. does a new value get set)?

On Fri, 06 Dec 2002 07:18:35 -0800 Kevin Spett <kspett () spidynamics com> wrote:

From http://www.securiteam.com/windowsntfocus/6C00L003GA.html:

"LJALNFJCGLOICFEPIAPBFDEJ is a 32 character "munge" of the 32 bit session ID (see later for how session ID is created). Session ID is created from a random seed number that is generated when the system starts up. The random seed is incremented every time a new session starts. Note that the "munge" doesn't increment in the same way that the Session ID does. Since the 8 char string after ASPSESSIONID is a "munge" of the process ID it will be (a) the same for all "In-process" applications, (b) a different value is shared for all "Medium isolation (pooled)" applications and (c) unique for each Out-of-process application."

From http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnasp/html/aspwsm.asp:

"The following steps are taken when generating ASP session cookies:
* Session ID values are 32-bit long integers.
* Each time the Web server is restarted, a random Session ID starting value is selected.
* For each ASP session that is created, this Session ID value is incremented.
* The 32-bit Session ID is mixed with random data and encrypted to generate a 16-character cookie string. Later, when a cookie is received, the Session ID can be restored from the 16-character cookie string (ASPSESSIONID).
* The encryption key used is randomly selected each time the Web server is restarted."

I don't know for sure, but I'm guessing that they're using CryptGenRandom for the PRNG, which uses mouse & keyboard event timing, system clock, system time, system counter, memory status, free disk clusters, etc. To my knowledge, it's sufficiently "random" to make them unpredictable in practical terms.

Hope that helps.

Kevin Spett
SPI Labs
http://www.spidynamics.com/

----- Original Message -----
From: "Cade Cairns" <cairnsc () securityfocus com>
To: "Kevin Spett" <kspett () spidynamics com>
Cc: <webappsec () securityfocus com>
Sent: Friday, December 06, 2002 2:48 AM
Subject: Re: IIS session cookies

I'm curious whether the ASPSESSIONID value generated is predictable and if so, to what extent.

Cade Cairns
Symantec Corporation

On Thu, 5 Dec 2002, Kevin Spett wrote:

What do you mean by "IIS session cookies"? Do you mean the ASPSESSIONID feature? And what do you mean by formed? Are you talking about the PRNG behind it, or how a developer can use them?

Kevin Spett
SPI Labs
http://www.spidynamics.com/

----- Original Message -----
From: "Cade Cairns" <cairnsc () securityfocus com>
To: <webappsec () securityfocus com>
Sent: Thursday, December 05, 2002 5:29 PM
Subject: IIS session cookies

Hello webappsec,

I'm looking for information on how IIS session cookies are formed (that is, what data they consist of or how they are encoded, etc.) Is anyone aware of any papers or resources on the subject?

Thanks,
Cade Cairns
Symantec Corporation
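As an added illustration (not code from this thread, from SecuriTeam or from Microsoft), here is a Python model of the scheme Kevin quotes from MSDN: a 32-bit Session ID counter with a random start, a key chosen per server restart, and a reversible mix of (counter, 32 random bits) into a 16-character cookie. The HMAC-based Feistel cipher and the A-P letter encoding are assumptions chosen only to show why consecutive sessions do not yield visibly consecutive cookies, and why recovering the counter needs the server's key.

```python
import hashlib
import hmac
import os
import struct

ALPHABET = "ABCDEFGHIJKLMNOP"  # one letter per nibble: 8 bytes -> 16 letters (assumed encoding)
ROUNDS = 4


class AspSessionModel:
    """Toy model of the quoted scheme: a 32-bit counter with a random start, a key
    chosen per server restart, and a reversible mix of (counter, 32 random bits)
    into 16 letters. The HMAC-based Feistel cipher is an assumption, not IIS's."""

    def __init__(self, rng=os.urandom):
        self.rng = rng
        self.key = rng(16)                               # new key on every "restart"
        self.next_id = struct.unpack(">I", rng(4))[0]    # random starting Session ID

    def _round(self, i, half):
        # Keyed round function: 32 bits of HMAC-SHA256 over (round number, half-block).
        mac = hmac.new(self.key, bytes([i]) + struct.pack(">I", half), hashlib.sha256)
        return struct.unpack(">I", mac.digest()[:4])[0]

    def new_cookie(self):
        """Issue the next session: returns (cookie string, plaintext Session ID)."""
        session_id = self.next_id
        self.next_id = (self.next_id + 1) & 0xFFFFFFFF   # the counter simply increments
        left, right = session_id, struct.unpack(">I", self.rng(4))[0]  # "mixed with random data"
        for i in range(ROUNDS):
            left, right = right, left ^ self._round(i, right)
        block = struct.pack(">II", left, right)
        return "".join(ALPHABET[b >> 4] + ALPHABET[b & 0xF] for b in block), session_id

    def session_id_from_cookie(self, cookie):
        """Recover the Session ID from a cookie; only meaningful with this server's key."""
        if len(cookie) != 16 or any(c not in ALPHABET for c in cookie):
            raise ValueError("malformed ASPSESSIONID cookie")
        nibbles = [ALPHABET.index(c) for c in cookie]
        block = bytes((nibbles[i] << 4) | nibbles[i + 1] for i in range(0, 16, 2))
        left, right = struct.unpack(">II", block)
        for i in reversed(range(ROUNDS)):               # undo the Feistel rounds
            left, right = right ^ self._round(i, left), left
        return left                                      # the random half is discarded


def letters_differing(cookie_a, cookie_b):
    """How many of the 16 positions differ between two cookies."""
    return sum(a != b for a, b in zip(cookie_a, cookie_b))
```

Two cookies issued back to back carry Session IDs that differ by one, yet the strings differ in most positions; a second server instance (a fresh key) cannot map a cookie back to its counter.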